Demo Overview: Information Protection -...

Information Protection Demo Track

Last Updated: March 27, 2017


This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2016 Microsoft. All rights reserved.


Demo Guide Information Protection

Table of Contents

Demo Overview: Information Protection
  Scenario
  Features
  Intended Audience
  Length
  Demo Prerequisites
  Access to the Azure Classic Portal
  Demo Setup Steps
    For the first time
    Prior to each demo presentation
Demo: Information Protection with Azure RMS
  Opening
  Content Classification
    Content Based Automatic Classification
    User Initiated Classification
    Content Based Recommended Classification
    Re-classification and justification
    Admin Experience
  Enable Rights Management Integration with Exchange
  Enable Rights Management Integration with SharePoint
  Define Departmental Templates
  Document Tracking and Revocation
  Foxit Redaction (optional)
  Protecting Siemens JT file format
Demo Reset Instructions
Appendix 1: Configure Your Demo Tenant
    Add Your Authentication Phone and Email (for MFA verification) to Hero User:
    Grant Appropriate Product Licenses to Global Admin user and other Demo Personas:
  Configure Information Protection Policies and Labels
    Update and Add Sub-Labels
    Create Credit Card Data Policy
    Create Social Security Number Policy
  [Optional] Configure RMS Templates
Appendix 2: Configure Your Demo PC (Windows)
  Enable Document Protection for Content Classification
    Create a Windows 10 VM
    Enable RMS Templates on Information Protection Labels
  Create a Local Account
  Sign in to Office Application
  Download Demo Assets
  Install the Information Protection Add-in for PC
  Set up Outlook Profile for Demo Persona
Appendix 3: Configure Your Demo Device (iOS)
  iOS Device Requirements
    Install/Configure Outlook App
    Install/Configure Azure Information Protection App


Demo Overview: Information Protection

Scenario

Organizations no longer operate within their own perimeter. Data is traveling between users, devices, apps, and services more than ever before. And protecting your perimeter, users, or devices does not guarantee protection of your data as it travels outside of corporate boundaries. Just identifying the data that needs protection can be a major challenge.

Azure Rights Management allows you to encrypt files and define permissions on the files that you share with others.

Microsoft Azure Information Protection helps you classify and label your data at the time of creation. You can then apply protection to sensitive data, including encryption, authentication, and user rights.

Features

This demo covers the following technical scenarios:

| Scenario & Value Prop | Technical Scenario | Demo Resources/Links |
|---|---|---|
| Classify, label and protect sensitive data | Content Based Automatic Classification | Deep Dive Guide, Click-Thru Guide |
| | User Initiated Classification | Deep Dive Guide, Click-Thru Guide |
| | Content Based Recommended Classification | Deep Dive Guide, Click-Thru Guide |
| | Re-classification and justification | Deep Dive Guide, Click-Thru Guide |
| | Admin Experience | Deep Dive Guide |
| Share sensitive data internally and externally | Enable Rights Management Integration with Exchange | Deep Dive Guide |
| | Enable Rights Management Integration with SharePoint | Deep Dive Guide |
| Track usage of shared data and respond to data abuse | Document Tracking and Revocation | Deep Dive Guide |

Intended Audience

IT Pros, Business Decision Makers, End Users

Length

30 minutes

Demo Prerequisites

This demo requires the following prerequisites:

A Microsoft Enterprise Mobility + Security (EMS) demo environment. See the EMS Demos Getting Started Guide for detailed instructions on creating your own demo environment.

A Windows PC or Virtual Machine running Windows 10 or above.
NOTE: A non-domain joined PC or a Windows VM is required to show RMS and document protection demos using Office client applications.

An iOS device (iPhone or iPad) running the latest OS.

Access to the Azure Classic Portal

All demo scenarios documented in this guide use the new Azure Portal. For some advanced management scenarios that are not yet available in the new Azure portal (and not documented in this guide), you may need to access the Azure Classic Portal (https://manage.windowsazure.com). However, accessing the classic portal requires an Azure Subscription connected to the tenant. Demo tenants provisioned after 3/2/2017 via demos.microsoft.com do not have a connection to an Azure Subscription.

If you need to access the Azure Classic Portal to manage your demo tenant, you will need to bring your own Azure Subscription and connect it to your tenant. Detailed steps are documented here.

Demo Setup Steps

For the first time

1. Configure demo user personas in Azure Active Directory (Azure AD) and set up information protection policies as detailed in Appendix 1.
2. Prepare your Windows PC demo device as detailed in Appendix 2.
3. [Optional] Prepare your demo tenant and iOS mobile device as detailed in Appendix 3.

Prior to each demo presentation

Follow these steps prior to each demo presentation to ensure a smooth and speedy demo experience:

1. On your Windows PC:
   a. Launch a new browser session and log into your tenant’s Azure Management Portal (https://portal.azure.com) as Global Admin (admin@<Tenant>.onmicrosoft.com and password).
      i. In the left navigation, click More Services.
      ii. In the results list, click Azure Information Protection.
   b. Open a new browser tab (in the same session) and browse to your tenant’s Office 365 administration site (https://portal.office.com/Admin/Default.aspx).
   c. Open a new browser tab (in the same session) and browse to your tenant’s SharePoint home page (https://<Tenant>.sharepoint.com).
   d. Download demo assets from SharePoint to your local PC, as detailed in Appendix.
   e. Launch demo files and enable editing:
      i. On your demo computer, open File Explorer and navigate to the downloaded demo assets.
      ii. Double-click Customer Accounts.docx to open it in Word.
      iii. If prompted, sign in to Rights Management add-in as Isaiah Langer (IsaiahL@<Tenant>.onmicrosoft.com and your tenant password).
      iv. If necessary, sign in to Office 365 as Isaiah Langer with the same credentials.
      v. In File Explorer, double-click Q3_Product_Strategy.docx to open in Word.
      vi. If prompted, click Enable Editing.
      vii. In File Explorer, double-click Credit Card.docx to open in Word.
      viii. If prompted, click Enable Editing.
      ix. Close all instances of Word.
      x. Keep File Explorer maximized and opened to the downloaded assets.
2. On your mobile device (iPad or iPhone):
   a. Launch Outlook app. Ensure you’re able to see Isaiah’s (IsaiahL@<Tenant>.onmicrosoft.com) corporate mailbox.

Demo: Information Protection with Azure RMS

Opening

Today, the exchange of critical corporate data is not contained within organizational boundaries. With trends such as outsourcing, you may need to share company confidential data with contractors and vendors. Because not all content needs the same protection, companies are challenged to identify which data needs protection and which data does not.

Another trend is an increase in the number of virtual organizations and virtual teams. For example, in a merger or acquisition scenario, a team may include members from the company that’s making the acquisition and the company being acquired, including individuals from legal, finance etc. The data that’s shared among these few people must remain with them only!

Azure RMS addresses these needs by allowing you to collaborate securely within and outside of your organization. It secures corporate data at the file level so you can rest assured the data is always protected, regardless of where it’s stored or whether it’s at rest or in transit. Document owners can encrypt a sensitive file and define who will have access. You can also define what level of permissions a recipient will have on the shared file. Additionally, with the new document tracking capability, you can track activities on the shared files and revoke access to those files if you notice any unexpected sharing.

This gives you immense control over the files that you create and share with others.

Content Classification

Azure Information Protection allows organizations to classify, label, and protect data at the time of creation or modification.

With Azure Information Protection, users can:

Classify data based on sensitivity and add labels, manually or automatically.

Encrypt sensitive data and define usage rights when needed.

Apply protection easily without interrupting their normal course of work.

The organization also has access to detailed tracking and reporting so they can see what’s happening with the shared data to manage it better.

Content Based Automatic Classification

Talk Track

The data in this document includes social security numbers; data that Isaiah should treat with the highest confidentiality.

In the Azure portal, an administrator can apply predefined patterns, such as “Credit card numbers” or “USA Social Security Numbers” as a condition for automatic classification. Alternately, they can use text patterns and regular expressions to define a custom string or pattern.

With Azure Information Protection, data classification and protection controls are integrated into Office and other common applications. This integration provides simple one-click options to secure data that users are working on.

The Information Protection add-in shows the sensitivity for this document has not been set. The document has no policy associated with it yet.

When Isaiah saves the document, Information Protection automatically classifies the document through a policy that his organization created in the Azure Management portal. The policy detected the social security numbers in the document so the notification is automatically labeled as Social Security Numbers. The Information Protection bar shows the sensitivity is now set to Social Security Numbers.

The policy also added a watermark indicating the document is confidential. At the bottom, a footer also indicates it’s a confidential document.

Azure Information Protection next protects the document. The file details show that a Rights Management template is applied, encrypting the document.

All of this was done automatically when Isaiah saved the file with no input from him. Azure Information Protection has classified, labelled, and protected this document all in one step.

Click Steps

1. Maximize File Explorer and double-click Customer Accounts.docx to open the document in Word.
2. In the SSN column, point to Social Security Numbers.
3. On the Ribbon, in the Protection group, point to the Protect icon.
4. On the grey Information Protection bar, point to the classification label: Sensitivity: Not Set.
5. In the top left, on the Quick Access Toolbar, click the Save icon.
6. On the yellow Information Protection bar, point to The file was automatically labeled as Social Security Numbers.
7. On the gray Information Protection bar, point to the classification label, Sensitivity: Social Security Numbers.
8. On the document background, point to the watermark, Confidential.
9. In the footer, point to the classification label, Sensitivity: Confidential.
10. On the Ribbon, click File and point to the yellow boxed Protect Document notification.
    NOTE: You must set the RMS template AND run the demo from a non-domain joined machine or a Windows 10 VM to see Protect Document enabled.
11. Close Customer Accounts.docx.

User Initiated Classification

Talk Track

With Azure Information Protection, Isaiah can choose to manually label a document with a classification himself. He can then apply visual markings and control who has access to that content through Rights Management templates and permissions.

Isaiah opens the Q3 Product Strategy document. The Information Protection bar shows the sensitivity is not currently set. Anyone can open this document and see the contents.

Isaiah can set the sensitivity to include everyone in his company or just to a specific group of employees, restricting who can see the document.

He selects Finance Only so only appropriate colleagues can see the data.

This adds the Secret watermark and a sensitivity footer.

He can also see the document is protected by a Rights Management template, so this document is encrypted and those without permission to see the document cannot view it.

Classification and protection information travels with the data. This ensures the data is protected at all times, regardless of where it is stored, who it is shared with, or which devices it is running on, iOS, Android, or Windows.

Click Steps

1. Maximize File Explorer.
2. Double-click Q3_Product_Strategy.docx to open in Word.
3. On the Information Protection bar, point to the classification label, Sensitivity: Not Set.
4. On the Information Protection bar, click Secret and point to the sub-labels.
5. Click Finance Only.
6. On the Information Protection bar, point to the classification label, Sensitivity: Secret-Finance Only.
7. On the document background, point to the watermark, Secret.
8. In the document footer, point to the classification label, Sensitivity: Secret.
9. On the Ribbon, click File and point to the yellow boxed Protect Document notification.
10. Close Q3_Product_Strategy.docx.
11. When prompted to save changes click Don’t Save.

Content Based Recommended Classification

Talk Track

The policies applied to information through Azure Information Protection can be applied automatically to data or they can raise an alert recommending the user apply the policy.

Isaiah opens a document that contains credit card numbers. The Information Protection add-in indicates the document is not currently set to any particular confidentiality.

Isaiah saves the document. As the file is saved, information protection recognizes that the document contains credit card data and makes an appropriate recommendation.

Isaiah clicks Change now, which applies the Credit Card Data policy to the document.

The policy stamps the document with a Confidential watermark and a Confidential footer at the bottom.

And also, a Rights Management template is applied to the document so it is protected and only available to individuals with the permissions specific to that template.

Click Steps

1. Maximize File Manager and navigate to the demo assets.
2. Double-click Credit Cards.docx to open in Word.
3. On the gray Information Protection bar, point to classification label, Sensitivity: Not Set.
4. In the top left, on the Quick Access Toolbar, click the Save icon.
5. On the yellow Information Protection bar, point to the recommendation to label file as Credit Card Data.
6. Click Change now.
7. On the Information Protection bar, point to the classification label, Sensitivity: Credit Card Data.
8. On the document background, point to the watermark, Confidential.
9. In the document footer, point to the classification label: Sensitivity: Confidential.
10. On the Ribbon, click File and point to the yellow boxed Protect Document notification.
11. Close Credit Cards.docx.
12. When prompted to save changes click Don’t Save.

Re-classification and justification

Talk Track

Isaiah opens the Sales and Marketing Expense Report presentation. He applies the Confidential policy to the presentation. The file is tagged as Confidential Sensitivity.

The slides now have the Confidential footer.

The File properties show that the presentation is protected with the rights management

When a classification is set on a document with Azure Information Protection that document is then protected by that particular policy setting. Sometimes a document policy may need to be changed later.

Isaiah saves the deck with that policy associated with it.

Document owners can track activities on shared data and revoke or change access when necessary.

Isaiah can return later and relax that classification.

When he edits the label, he can see the options to choose. He selects Internal.

Organizations can further require users to give a justification for any changes that might lessen the sensitivity of a document’s classification.

Since Internal is a lower sensitivity than Confidential, he is prompted to explain why he is lowering the file’s classification.

He can say no longer required or he can leave a message indicating the data is team confidential and can be shared internally.

This information is logged and used for auditing purposes.

The label is now changed to Internal. This change is reflected in the footer and the Rights Management template is removed from this presentation.

Click Steps

1. Maximize File Manager and navigate to the demo assets.
2. Double-click Q3 Sales and Marketing Expense Report Audit.pptx to open in PowerPoint.
3. On the Information Protection bar, click Confidential.
4. In the top left, on the Quick Access Toolbar, click the Save icon.
5. On the gray Information Protection bar, point to the classification label, Sensitivity: Confidential.
6. Navigate to the second slide.
7. In the slide footer, point to the Sensitivity: Confidential.
8. On the Ribbon, click File and point to the yellow boxed Protect Document notification.
9. Click the back arrow to return to editing the presentation.
10. On the Information Protection bar, click the Edit label icon.
11. On the Information Protection bar, click Internal.
12. In the alert that appears click Other.
13. Type This is no longer confidential and can be shared internally.
14. Click Confirm.

Admin Experience

Talk Track

Organizations can use the Azure Management Portal to configure all aspects of the policies, rules, and labels for Azure Information Protection. On the main blade, Admins can specify a title and tooltip. The tooltip appears when users hover over the sensitivity setting on the left side of the Information Protection bar in Office applications. This feature is also provided to users when creating new classification labels.

Additionally, if all documents and emails are required to have a label, an administrator can configure manual or automatic label classifications. They can also choose the default label value that is applied to all documents (new or unclassified) prior to any classification level changes.

Optionally, they can require users provide justification when they lower a document’s sensitivity level. When they do this, the action and justification are logged.

The sensitivity label order displayed in applications is based on the order in this label list from top to bottom (least level of sensitivity to highest level of sensitivity). So, because Confidential is more sensitive than Public, if Isaiah moves the sensitivity level of a document from Confidential to Public, he must justify this action.

Admins can assign each label a unique color for easy visual recognition of the assigned sensitivity level.

They can also enable additional document security by attaching an RMS template to the policy. This will apply file-level encryption and allow only those with the appropriate permissions to access the document.

After saving, the new label is added to the bottom of the label list. Dragging and dropping the label moves it to the appropriate severity position below Confidential.

Admins can open the new classification label’s policy settings and customize the visual markings that will appear on the document. This includes a Header specifying the notification text and where it will display on the document and a customized Footer.

The final visual marking is to add a Watermark that displays diagonally across the center of the document.

The final setting to configure is the condition to automatically apply this label. If no condition is set, the user can use the label to manually classify documents.

But to ensure a document is automatically classified, admins should add a new condition. Azure offers a number of built-in conditions to choose, such as Credit Card Number, Social Security Number, or banking information. The built-in conditions are designed to recognize identified patterns, words, or phrases, and then classify the document(s) appropriately if the conditions are met.

Azure also supports creating custom conditions that match an exact phrase or use a regular expression, such as classifying any documents that mention Project Tailwind. To demonstrate this, let’s create a new condition that classifies any document mentioning Project Tailwind as Confidential. Once saved, the condition is applied to the label.

Admins can choose to automatically apply the label if a document contains Project Tailwind or set it as a Recommended label so Isaiah receives a tooltip that he should classify the file as Project Tailwind.

After saving the label, publishing it deploys the label. Now when Isaiah creates or modifies a document that contains the words Project Tailwind, Azure Information Protection will recommend setting the proper Project Tailwind classification.

Click Steps

1. Restore the Azure Management Portal browsing session opened to the Information Protection window.
2. Point to Label name and Tooltip fields.
3. Point to All documents and emails must have a label.
4. Click Select the default label drop-down and show list.
5. Point to the Label list.
6. Point to User must provide justification.
7. Under the Label list, click Add a new label.
8. In Label name text box, type Project Tailwind.
9. In Tooltip text box, type Information relating to secret project Tailwind.
10. Click Color drop-down and show list.
11. Click Select RMS template drop-down and select Contoso <Tenant> - Confidential.
12. On the Label blade, click Save.
13. On the Policy: Global blade, in the list of labels, to the left of the Project Tailwind label, click and hold the ellipses and drag the Project Tailwind label up to above Confidential.
14. In the Label list, click Project Tailwind to open the settings blade.
15. Under Set visual markings section, set values as shown below. If not specified, leave all values not listed as their default setting:
    Documents with this label have a header: On
    Header text: Confidential: Project Tailwind
    Alignment: Center
    Documents with this label have a footer: On
    Footer text: Confidential: Project Tailwind
    Documents with this label have a watermark: On
    Watermark text: Confidential
16. Click Add a new condition.
17. On the Condition blade, click the Select built-in drop-down.
18. Set Choose the type of condition to Custom.
19. In the Name text box, type Tailwind Condition.
20. In the Match the exact following phrase text box, type Project Tailwind.
21. On the Condition blade, click Save.
22. Set Select how this label is applied: automatically or recommended to user to Recommended.
23. On the Label: Project Tailwind blade, click Save and close the blade.
24. Close the Policy: Global blade.
25. On the Azure Information Protection blade, click Publish.
26. On the confirmation prompt, click Yes.
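
The content conditions, the automatic-versus-recommended setting and the justification-on-downgrade rule described above can be modelled together. This Python sketch is an added illustration, not part of the original guide and not Microsoft's implementation; the regular expressions, the relative order of the labels, the rule that the most sensitive matching label wins, and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Label list in policy order, least sensitive first. The names appear in the
# guide; their relative order here is an assumption made for this sketch.
LABEL_ORDER = ["Public", "Internal", "Project Tailwind", "Confidential",
               "Credit Card Data", "Social Security Numbers", "Secret"]
RANK = {name: i for i, name in enumerate(LABEL_ORDER)}

# Assumed patterns standing in for the built-in conditions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0


@dataclass(frozen=True)
class Condition:
    label: str                        # label the condition assigns
    mode: str                         # "automatic" or "recommended"
    matches: Callable[[str], bool]    # content test


CONDITIONS = [
    Condition("Social Security Numbers", "automatic",
              lambda t: bool(SSN_RE.search(t))),
    Condition("Credit Card Data", "recommended",
              lambda t: any(luhn_ok(m.group()) for m in CARD_RE.finditer(t))),
    # Custom condition from the click steps: exact phrase, matched
    # case-insensitively in this sketch.
    Condition("Project Tailwind", "recommended",
              lambda t: "project tailwind" in t.lower()),
]


def evaluate_on_save(text: str, current: Optional[str] = None):
    """Return (action, label); action is "apply", "recommend" or None."""
    hits = [c for c in CONDITIONS if c.matches(text)]
    if not hits:
        return (None, current)
    best = max(hits, key=lambda c: RANK[c.label])   # most sensitive match wins
    if current is not None and RANK[current] >= RANK[best.label]:
        return (None, current)       # content rules never lower a label
    return ("apply" if best.mode == "automatic" else "recommend", best.label)


@dataclass
class Document:
    name: str
    label: Optional[str] = None
    audit: list = field(default_factory=list)


def change_label(doc: Document, new_label: str, user: str,
                 justification: str = "") -> None:
    """Manual relabel; lowering sensitivity needs a justification, which is logged."""
    lowering = doc.label is not None and RANK[new_label] < RANK[doc.label]
    if lowering and not justification.strip():
        raise ValueError(f"justification required: {doc.label} -> {new_label}")
    doc.audit.append({"user": user, "from": doc.label, "to": new_label,
                      "justification": justification.strip() if lowering else None})
    doc.label = new_label


if __name__ == "__main__":
    # Constructed sample content, not data from the demo files.
    samples = {
        "ssn": "Customer SSN 123-45-6789",
        "card": "Card on file: 4111 1111 1111 1111",
        "not a card": "Order ref 1234 5678 9012 3456",
        "phrase": "Draft plan for Project Tailwind",
    }
    for name, text in samples.items():
        print(name, evaluate_on_save(text))
    deck = Document("expense-report.pptx", label="Confidential")
    change_label(deck, "Internal", "IsaiahL",
                 "This is no longer confidential and can be shared internally")
    print(deck.label, deck.audit)
```

The Luhn check is what keeps a 16-digit order reference from triggering the card recommendation, which matters when a matching label also applies encryption.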

Enable Rights Management Integration with Exchange

Talk Track

Rights Management protection is applied to email by applying an Azure Rights Management policy template to an email message. Usage rights are attached to the message itself so that protection occurs online and offline as well as inside and outside of the organization’s firewall.

After activating Azure Rights Management, the next step is to enable Rights Management in Exchange Online by using Windows PowerShell.

Here are a few PowerShell cmdlets that do all of this.

The first cmdlet configures the RMS Online key-sharing location in Exchange Online. The second cmdlet imports the Trusted Publishing Domain from RMS Online. The last cmdlet enables Rights Management in Exchange Online.

Lastly, I will test my configuration to make sure it works as expected. To do that, I will use the Test-IRMConfiguration cmdlet.

Click Steps

Note: RMS for Exchange in your demo tenant is already activated. You may choose to skip step 5 below.

1. Open PowerShell as an administrator.
2. Run the following cmdlet in PowerShell:

    Set-ExecutionPolicy RemoteSigned

3. Run the following cmdlet in PowerShell, then provide your tenant’s Global Admin credentials:

    $LiveCred = Get-Credential

4. Run the following cmdlets in PowerShell:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

5. Run the following cmdlets in PowerShell:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
    Set-IRMConfiguration -InternalLicensingEnabled $true

6. Run the following cmdlet in PowerShell (this command will demonstrate how the tenant is configured):

    Test-IRMConfiguration -sender user@<tenant>.onmicrosoft.com

Enable Rights Management Integration with SharePoint

Talk Track

SharePoint Online applies Rights Management protection at the list and library level. SharePoint Online Rights Management relies on Azure Rights Management to encrypt and assign usage restrictions. Enabling Rights Management in SharePoint Online does not require Windows PowerShell. Instead, you can enable it in the SharePoint admin center.

This is where you enable Rights Management for SharePoint Online. The process is simple. Select Use the IRM service specified in your configuration, and then refresh the IRM settings.

Click Steps

Note: These steps are for review only. The tenant has already been configured with these settings.

1. Open https://portal.office.com in the browser.
2. Log in as your demo tenant’s global administrator.
3. Click on the Admin tile.
4. In the left-hand navigation expand Admin centers.
5. Click SharePoint.
6. In the left-hand navigation click settings.
7. In the Information Rights Management section, click Use the IRM service specified in your configuration.
8. Click Refresh IRM Settings.
9. Click OK.

Enable a SharePoint Library to use Rights Management

Talk Track

When site owners enable Rights Management for a list or library, they can protect any supported file types in that list or library. When Rights Management is enabled for a library, rights management applies to all of the files in that library. When Rights Management is enabled for a list, rights management applies only to files that are attached to list items, not the actual list items.

Rights Management is enabled on each list or library’s settings page, for example this Documents library.

On the Information Rights Management Settings page, enabling Rights Management is simple. Select the Restrict permissions on this library on download check box, provide a title and description, and save your settings.

Click Steps

Note: These steps are for review only. The tenant has already been configured with these settings.

1. In Internet Explorer, open https://<Tenant>.sharepoint.com.
2. Log in as your demo tenant’s global administrator.
3. Click Documents to open the Documents library.
4. On the LIBRARY ribbon, click Library Settings.
5. Click Information Rights Management.
6. In the Information Rights Management Settings page, check Restrict permissions on this library on download.
7. In the policy title text box, type Contoso Secure Documents demo.
8. Copy/paste this same text into the policy description text box.
9. Click the SHOW OPTIONS link to expand the list of options.
10. Click OK to save.

Define Departmental Templates

Talk Track

By default, all users in your Azure directory see all the published templates. Users can then select templates from applications when they want to protect content. If you want only specific users to see some of the published templates, you must scope the templates to these users. Then, only these users will be able to select these templates. Other users that you do not specify will not see the templates and therefore cannot select them. This technique can make choosing the correct template easier for users, especially when you create templates that are designed to be used by specific groups or departments.

For example, we’ve created a template for the Finance department that applies the Read-only permission to members of the Finance department. We want only members of the Finance department to be able to apply this template when they use the Rights Management sharing application. We do this by scoping the template to the email-enabled group named Finance Team. Then, only members of this group see and can apply this template.

Click Through

1. Log in to the Azure Management portal as your test tenant’s global administrator.
2. In the left pane, click ACTIVE DIRECTORY.
3. Click RIGHTS MANAGEMENT.
4. Click on the demo tenant label to see Rights Management administration page.
5. Click TEMPLATES.
6. Review currently installed templates.
7. Under Name, click Contoso - Sensitive.
8. Click RIGHTS.
9. Click ADD.
10. Select All Employees, and then click the arrow.
11. Under Assign rights to selected users and groups, select Custom, and then click the arrow.
12. Review the list of custom rights.
13. Click the cancel (x) icon (do NOT save changes).
14. Click SCOPE.
15. Click CONFIGURE, and then scroll down to the bottom of the page.
16. Review the content expiration options.
17. Review the offline access options.

Document Tracking and Revocation

Talk Track

Document tracking and revocation enables document owners to track activities on sensitive files that they have shared with others. They can view activities, such as recipients opening the file or unauthorized users being denied access to the files. They can also see the latest state of the files on a hosted site: whether the file is active, expired, or revoked. Users can also view the geographical locations from which the files were accessed. With a single click, the document sender can also revoke access to a shared file.

Click Through

Note: Use IsaiahL’s account. We will be demoing a static document tracking site with fabricated data.

1. Open the web browser and navigate to the Document tracking site, http://rmsdata.azurewebsites.net.
2. Show the summary page that shows activities on a shared file.
3. Show the timeline view that indicates the time periods when access to the document was attempted, both successfully and unsuccessfully.
4. Show the map view that shows the geographical locations from which access to the file was attempted, both successfully and unsuccessfully.
5. Show the unsuccessful access attempt in Australia.
6. Point out that the document was not expected to be accessed there.
7. Revoke access to the shared file by clicking on the Revoke access button.
8. Review the fields on the Revoke access page (notification options etc.).
9. Click Confirm to revoke access to the file.

Foxit Redaction (optional)

Talk Track

So far we’ve seen protecting data at the file level but now we’ll see protecting it at the text level. Redaction allows document owners to redact certain portions of RMS-protected files and share the file as PDF with intended recipients. The plugin can be downloaded from the Foxit software website and is extremely easy to install and use. This is a file that I want to share with my finance team. I also want to share it with some engineers, but I don’t want them to know the cost. They should be able to see everything else.

It is very straightforward to configure Azure RemoteApp in the Azure Management Portal.

Click Through

Note: Use corporate credentials for redaction and IsaiahL’s account for viewing the redacted copy.

1. Open a Word document that you want to redact a portion of.
2. On the Office ribbon, you’ll see a tab called Foxit PDF.
3. Click on the tab and then click on Mark for Redaction.
4. Select the items you want to redact.
5. Choose the right template.
6. Save the file as PDF and send it to Isaiah Langer.
7. Log into Isaiah’s email and open the redacted PDF.
8. You’ll notice the items you redacted are not visible to Isaiah.


Protecting Siemens JT file format

Talk Track

For a long time, RMS was all about protecting Office files on Windows platforms only. But now, RMS can be used to protect any file type on any device platform. For some of these file types, we have to work with other applications, for example, CAD files. In the manufacturing, construction, and automotive industries, CAD is one of the most commonly-used file formats. So we’ve worked with Siemens to integrate RMS into the Siemens system itself. This is a JT file. It’s a PDF version of a CAD file which can be opened in the JT2GO application that exists today on Windows and other platforms. Isaiah is going to send this file out as part of the bidding process. He doesn’t want suppliers to forward this to other companies. He can protect the file using Azure RMS.

Click Through

Note: You can download sample JT files from your demo tenant’s SharePoint document library, located at https://<Tenant>.sharepoint.com/JTDesignDocs.

1. Right click on a JT file and start a share protected workflow.
2. Share the file with Isaiah’s account giving him view only permission.
3. Log in to Isaiah’s email and open the file using JT2Go application.
4. Review the permissions on the file.

Demo Reset Instructions

Follow these steps to reset the demo after each presentation:

1. If you enabled Rights Protection in the SharePoint document library, go back to the library settings, then disable the rights protection checkbox option.
2. Close all files.
3. Navigate to the Demo Deliverable backups and copy new versions to the File Manager location used in the demo.
4. Delete the Project Tailwind policy created during the Admin Experience of the Content Classification presentation.


Appendix 1: Configure Your Demo Tenant

These steps need to be performed only once per demo tenant and are required prior to performing demos or configuring devices for demoing.

Add Your Authentication Phone and Email (for MFA verification) to Hero User:

1. Open a new browser session in InPrivate mode (<CTRL>+Shift+P).
2. Sign in to https://myapps.microsoft.com portal as your demo persona (IsaiahL@<tenant>.onmicrosoft.com or equivalent) and password.
3. Click on the user icon menu (top-right corner), then select Profile.
4. Click Set up self service password reset.
5. Follow the on-screen prompts to set up Authentication Phone and Authentication Email. Provide your real world mobile phone number.
6. Click finish when completed.

Configure Information Protection Policies and Labels

NOTE: A non-domain joined PC or a Windows VM is required to show RMS and document protection demos using Office client applications.

1. Browse to https://portal.azure.com.
2. If required, log in as the global administrator, admin@<Tenant>.onmicrosoft.com (corporate account) and your tenant password.
3. In the left navigation, click Browse then select Azure Information Protection.
4. In the list of labels, click Confidential.
5. On the right, in the Select RMS Template drop-down, select Contoso <Tenant> - Confidential.
6. At the top, on the Label blade, click Save.
7. In the list of labels, click Secret.
8. Set Select RMS Template to Contoso <tenant> - Confidential.
9. On the Label blade, click Save and close the blade.

Update and Add Sub-Labels

10. To the left of the Secret label, click the triangle to expand the row.
11. Click on My Group to open the blade for the label.
12. Change the Label name to External Permitted.
13. Click out of the Label name text box and on the Label blade, click Save, and then close the blade.
14. On the right of the Secret label row, click the ellipsis and select Add a sub-label.
15. Set the Label name to Finance Only.
16. On the Label blade, click Save and close the blade.
17. Click on the ellipsis on the right of the Secret label row.
18. Select Add a sub-label.
19. Set the Label name to HR Only.


20. Click out of the Label name text box and on the Label blade click Save, and then close the blade.
21. On the right of the Secret label row, click the ellipsis and select Add a sub-label.
22. Select Add a sub-label.
23. Set the Label name to Legal Only.
24. Click out of the Label name text box and on the Label blade, click Save, and then close the blade.

Create Credit Card Data Policy

1. In the list of labels, click on the Credit Card Data label.
2. Set Select RMS Template to Contoso <Tenant> - Confidential.
3. On the Label blade, click Save and close the blade.

Create Social Security Number Policy

1. In the list of labels, click on the Social Security Numbers label.
2. Set Select RMS Template to Contoso <Tenant> - Confidential.
3. On the Label blade, click Save and close the blade.
4. Close the Policy: Global blade and then click Publish.
5. When prompted, click Yes.

[Optional] Configure RMS Templates

At the time of this document (3/27/2017), only the Azure Classic Portal offers a user interface to create/manage custom RMS templates. To access your demo tenant from Azure Classic Portal, you’ll need to connect your tenant with an Azure subscription, as described here.

In lieu of the Azure Classic Portal, you may also use PowerShell scripts to configure/manage RMS templates. Please view additional documentation on this topic at https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates.


Appendix 2: Configure Your Demo PC (Windows)

If your organization is already RMS and AIP enabled and you use your domain joined account for the demo you cannot show document protection during content classification. In some cases, you may also encounter log in errors throughout the demo.

To avoid conflicts, use a dedicated demo computer with a local account not associated with a Microsoft Account or any domain joined accounts.

As an alternative you can use a Windows 10 VM for these demos.

Enable Document Protection for Content Classification

To demonstrate document protection during the content classification presentation, you will need to enable the RMS template for the labels.

In addition, if your demo computer is domain joined to an on-premises Active Directory you cannot show document protection during content classification. You will need a dedicated demo computer with a local account or a Windows 10 VM.

Create a Windows 10 VM

If you choose to use a Windows 10 VM to perform this demo, you may use Hyper-V service on your PC to host the VM. Detailed guidance is available on MSDN web site:

1. Install Hyper-V.
2. Create a Virtual Switch.
3. Create a Virtual Machine.

Once you’ve created and launched a Windows 10 VM, proceed with the setup of the VM as documented below.

Enable RMS Templates on Information Protection Labels

RMS templates enable document protection during the content classification demos. By default, the RMS template is not set during provisioning to allow the content classification demo to run in all demo environments.

To set the template and enable document protection:

1. On the demo computer, browse to https://portal.azure.com/.
2. If required, log in as the global administrator, admin@<Tenant>.onmicrosoft.com (corporate account) and your tenant password.
3. In the left navigation, click Browse, then select Azure Information Protection.
4. In the list of labels, click Secret.
5. Set Select RMS Template to Contoso <tenant> - Confidential.
6. On the Label blade, click Save and close the blade.
7. Do steps 3 to 5 for the Credit Card Data, Social Security Numbers, and the Confidential labels.

Create a Local Account

On the demo computer, create a Local Account not associated with a Microsoft Account or domain joined account to avoid conflicts and issues.

Make this local account an Admin on the machine.


1. Press Start.
2. Type Users, and then select Add, edit, or remove other users.
3. Under Other users, click the new local account.
4. Click Change account type.
5. Click Account type and select Administrator.
6. Click OK.
7. Close Settings window.

Sign in to Office Application

You will need to add IsaiahL@<Tenant>.onmicrosoft.com account to the Office client applications:

1. On the demo computer, start Word 2016.
2. In the upper right, click Sign in.
3. In the Accounts dialog, click Add Account.
4. In the Sign in dialog, add Isaiah Langer’s log in information: IsaiahL@<Tenant>.onmicrosoft.com, and then click Next.
5. When prompted, type in your tenant password.

Download Demo Assets

Your demo tenant ships with some sample documents to help you showcase Information Protection scenarios easily:

1. Navigate to https://<Tenant>.sharepoint.com/RMSDemoLib/.
2. Download the following four files locally to your demo PC:
   a. Credit Cards.docx
   b. Customer Accounts.docx
   c. Q3 Sales and Marketing Expense Report Audit.pptx
   d. Q3_Product_Strategy.docx
3. Make a local backup copy of all four files for re-usability.

Install the Information Protection Add-in for PC

Note: From 12/7/16 the RMS Sharing Add-in and the Azure Information Protection add-in have been unified as a single add-in. If you have the previous versions of the add-ins you should uninstall them and install the unified add-in.

Microsoft Azure Information Protection is an add-in on the Microsoft Office applications’ Home Ribbon, as shown below. If you already see this on your PC, you don’t need to download the app.

To download/install the application:

1. Navigate to http://www.microsoft.com/en-us/download/details.aspx?id=53018.


2. Click Download and follow the Install Instructions on the download page.
3. The install file for the unified Information Protection package is AzInfoProtection_PREVIEW_1.3.56.0.exe

To verify the add-in is installed and “bootstrapped” correctly:

1. Close all Office applications in your demo PC/VM.
2. In File Explorer, locate an Office document (any sample file will do).
3. Right-click on the file, and choose Protect with RMS > Protect in-place > Company-defined Protection.
4. In the Azure Information Protection pop-up window, type in the email of your Demo Persona and password, then click Sign in.
   - Email Address: IsaiahL@<Tenant>.onmicrosoft.com
   - Password: your tenant password
5. By signing in, this should have initialized the Azure Information Protection add-in on this PC.
6. Click Cancel.

A key scenario of the Azure RMS demo is the ability to share rights-protected documents with other users, both internal to the organization and external, via email. If you are a Microsoft full time employee (FTE) user and using your everyday PC to perform this demo, you most likely have a license to share RMS protected content (and your PC is set up appropriately). You may use your corporate account and Outlook to send share protected files to your demo persona.

If you are not using your everyday PC or do not have RMS license through your organization, don’t worry: your demo environment and the fictitious Contoso organization come licensed for RMS out-of-the-box.

The following table summarizes possible scenarios for performing your RMS sharing demos (and required setup accordingly):

| If you are… | Send RMS content as | Receive RMS content as | Setup Required |
| Microsoft FTE using your everyday PC | You @ Microsoft.com through your Outlook app | IsaiahL@<Tenant>.onmicrosoft.com | Set up Outlook profile for IsaiahL |
| Non-Microsoft user or MSFT user not using everyday PC | IsaiahL@<Tenant>.onmicrosoft.com | EmilyB@<Tenant>.onmicrosoft.com | Download/install Information Protection add-in to PC; set up Outlook profile for EmilyB; set up Outlook profile for IsaiahL |

Set up Outlook Profile for Demo Persona

1. Launch the Outlook application on your PC.
2. In Outlook, go to File > Info > Add Account.
3. Fill in the Auto Account Setup form as follows:
   a. Your Name: Isaiah Langer
   b. Email Address: IsaiahL@<Tenant>.onmicrosoft.com
   c. Password: your tenant password
4. Click Next.
5. Wait for auto-discover service to resolve the account settings.
6. In the pop-up window, type in your tenant password one more time.


7. Check Remember Password option, then OK.
8. Restart Outlook when prompted.

Appendix 3: Configure Your Demo Device (iOS)

iOS Device Requirements

- iPad or iPhone running latest versions of iOS.
- Access to your demo persona’s (IsaiahL) mailbox (preferably via Outlook mobile app)
- Azure Information Protection App

You will be consuming RMS protected documents as the user IsaiahL. You’ll need to ensure your device has the Azure Information Protection App installed, and configured for your demo persona, Isaiah Langer.

Install/Configure Outlook App

1. If necessary, go to the iOS App Store and install the Outlook App from the App Store.
2. Launch the app, then sign in using IsaiahL’s Office 365 credentials (IsaiahL@<Tenant>.onmicrosoft.com and your tenant password).
3. If you see a prompt to enroll the device, proceed with Intune device enrollment.

   Note: Access to IsaiahL’s inbox is governed by a Conditional Access policy whereby the device has to be enrolled before email can be accessed. For more information, please refer to the Managed Mobile Productivity (Intune) demo guide.

4. Once device enrollment is complete, re-launch Outlook App.
5. Set up a 4-digit App PIN (e.g. 1111) and continue.

Install/Configure Azure Information Protection App

1. If necessary, go to the iOS App Store and install the Azure Information Protection app.
2. Launch the app.
3. When prompted, type in the sign-in info: IsaiahL@<Tenant>.onmicrosoft.com and your tenant password.
4. Important: check Remember Me checkbox, then Sign In.
5. Go back to Outlook app and open a rights-protected attachment. If you don’t see a rights-protected message, go back to Outlook on the PC and send a rights protected attachment to IsaiahL.
6. If the attachment is a Word document, ensure you’re able to open the attachment in the Word app on your mobile device.

You have now successfully set up and smoke tested your demo tenant and demo devices. We recommend you proceed with a run-through of the demo steps to familiarize yourself with the demo.
